PowerDNS Blog

PowerDNS Security Advisories 2025-07 and 2025-08

Written by Otto Moerbeek | Dec 8, 2025 12:29:21 PM

Today we have released PowerDNS Recursor 5.1.9, 5.2.7 and 5.3.3.

These releases fix two PowerDNS Security Advisories:

  • 2025-07: Internal logic flaw in cache management can lead to a denial of service in Recursor
  • 2025-08: Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor.

PowerDNS Security Advisory 2025-07: Internal logic flaw in cache management can lead to a denial of service in Recursor

  • CVE: CVE-2025-59029
  • Date: 8th December 2025
  • Affects: PowerDNS Recursor 5.3.0 and 5.3.1
  • Not affected: PowerDNS Recursor 5.1.x, 5.2.x and 5.3.2
  • Severity: Medium
  • Impact: Denial of Service
  • Exploit: This problem can be triggered by specific cache contents and a query with qtype ANY
  • Risk of system compromise: None
  • Solution: Upgrade to patched version or prevent requests with qtype ANY

CVSS Score: 5.6, see https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1

The remedy is: upgrade to a patched version or prevent requests with qtype ANY.

Version 5.3.2 of PowerDNS Recursor was never released publicly, upgrade to version 5.3.3.

PowerDNS Security Advisory 2025-08: Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor

  • CVE: CVE-2025-59030
  • Date: 8th December 2025
  • Affects: PowerDNS Recursor up to and including 5.3.2, 5.2.6 and 5.1.8
  • Not affected: PowerDNS Recursor 5.3.3, 5.2.7 and 5.1.9
  • Severity: High
  • Impact: Denial of Service
  • Exploit: This problem can be triggered by a notify arriving over TCP and allows clearing caches
  • Risk of system compromise: None
  • Solution: Upgrade to patched version or prevent incoming notifies over TCP

CVSS Score: 7.5, see https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1

The remedy is: upgrade to patched version or prevent incoming notifies over TCP.

Please refer to the changelogs  (5.1.9, 5.2.7 and 5.3.3) for additional details

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarballs (5.1.9, 5.2.7, 5.3.3) (with signature files 5.1.9, 5.2.7, 5.3.3) are available from our download server and packages for several distributions are available from our repository.

Recently we made changes to our Open Source End of Life policy. Older release trains are now supported for one year after the following major release. Consult the EOL policy for more details.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

 
View full post